You can view audit logs within a specified time period and filter audit logs that match specified conditions.

Background information

Instance audit logs record requests made to databases in the instance. You can use the audit logs of an instance to identify the causes of sudden increases in resource consumption or find the records of data modification or deletion in the instance.

Prerequisites

Before the official launch of the audit log feature, the free trial edition was activated for the instance.
Note Starting from January 6, 2022, the official edition of the audit log feature has been launched in all regions, and new applications for the free trial edition have ended. For more information, see Notice on official launch of the pay-as-you-go audit log feature and no more application for the free trial edition.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the resource group and region to which the instance belongs.
  3. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances based on the instance type.
  4. Click the ID of an instance, or click More icon in the Actions column corresponding to the instance and select Manage.
  5. In the left-side navigation pane of the instance details page, choose Data Security > Audit Logs.
  6. On the Mongo audit log center page, use one of the following methods based on your business requirements to view audit logs:
    • View audit logs within the default time range.

      After the Mongo audit log center page appears, view audit logs within the default time range of 15 minutes.

    • Filter audit logs to search for the desired log entries.
      On the Mongo audit log center page, specify the filter conditions. Filter condition
      Filter condition Description
      Keyword Specify the keywords that are included in the audit logs you want to view. The keywords can be a client IP address, a command, a username, or other extended information.
      Enter complete information when you use keywords for log search. For example, to view audit logs of the 192.168.1.1 client IP address that is used to connect to the ApsaraDB for MongoDB instance, enter 192.168.1.1 instead of 192.168 in the Keyword field.
      Note If a keyword contains a colon (:), enclose the keyword in a pair of double quotation marks (""). Example: "userId:1".
      Operation Type View audit logs of a specific operation type. Valid values:
      • query: query operations
      • find: find operations
      • insert: insert operations
      • update: update operations
      • delete: delete operations
      • remove: remove operations
      • getMore: read operations
      • command: protocol commands, such as the aggregate method
      Client IP Address View audit logs of a specific client IP address that is used to connect to the ApsaraDB for MongoDB instance.
      Database Name View audit logs of a specific database in the ApsaraDB for MongoDB instance.
      Set Name View audit logs of a specific set in the ApsaraDB for MongoDB instance.
      Username View audit logs of a specific database account of the ApsaraDB for MongoDB instance.
    • View audit logs within a specific time range by using the time picker.
      1. On the Mongo audit log center page, click Time Range.
        Note
        • You can click Refresh in the upper-right corner to specify a refresh frequency for audit logs.
          • Once

            Specifies to immediately refresh audit logs.

          • Auto Refresh
            Specifies to refresh audit logs every 15 seconds, 60 seconds, 5 minutes, or 15 minutes.
            Note If you do not want to use the auto-refresh interval specified by this parameter, choose Refresh > Close to clear the current parameter setting, and then reset this parameter.
        • You can click Reset Time in the upper-right corner to restore the default settings. In this case, audit logs for the last 15 minutes are queried and no refreshes are performed.
      2. In the Time panel, select a time range.
        Section name Description
        Time details Move the pointer over a time period in the Relative or Time Frame section to view the specific time range for audit log query.
        Relative View the log data that was generated during a time range that ends with the current time, such as the previous 1, 5, or 15 minutes. For example, if the current time is 19:20:31 and 1 Hour is selected as the relative time, the charts on the dashboard display the log data that was generated from 18:20:31 to 19:20:31.
        Time Frame View the log data that was generated during a time range that ends with the current time, such as the previous 1 or 15 minutes. For example, if the current time is 19:20:31 and 1 Hour is selected as the time frame, the charts on the dashboard display the log data that was generated from 18:00:00 to 19:00:00.
        Custom View the log data that was generated during a specified time range. For example, if the specified custom time range is from 11:37 to 11:52 on January 04, 2022, the log data that was generated from 11:37 to 11:52 on January 04, 2022 can be viewed.
        To specify a custom time range, click Custom, enter a custom time range in the field, and then click OK.
        Note The current query time is accurate to the minute. To use a query time that is accurate to the second, set the timestamps in your SQL statement. Example: * | SELECT * FROM log WHERE __time__>1558013658 and __time__< 1558013660.
    • View audit logs from a specified chart within a specified time range.
      1. On the Mongo audit log center page, click More icon and select Select Time Range.
      2. In the Time panel, specify a time range.
        Note To reset the time range to query for a chart to the default setting of 15 minutes, click 424 in the upper-right corner of the chart.

FAQ

Q: Why is it that I can view only 2,000 audit log entries?

A: The Mongo audit log center page in the ApsaraDB for MongoDB console displays only up to 2,000 audit log entries. To view more audit log entries, log on to the Log Service console. For more information, see Query and analyze logs.